Hi Adrian

On Sat, 13 Apr 2024 at 13:33, Adrian Bunk <[email protected]> wrote:
>
> On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote:
> >...
> > - looks like backporting the old branches is what's done in bullseye and
> >   bookworm; do you know of some reason we're not doing this for buster too?
>
> bind9 in buster provides shared libraries,
> with soversion changes in every release.

That is a bummer. That will not work. I'll look at backporting patches.

> > - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
> >   DNSSEC. The fixes for CVE-2023-50387 are large, and I am not sure
> >   there is one for CVE-2023-50868 for bind-9.11.
>
> It's the same fix for both.

Do you mean that these fixes mentioned in CVE-2023-50387 also solve
CVE-2023-50686?

https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe (v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67 (v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718 (v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd (v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614 (v9.16.48)

> > I think that these fixes are too intrusive to fix by backporting,
> > unless we decide to start backporting whole upstream 9.11.y releases.
> >...
>
> Fixing KeyTrap might be possible.
>
> The change that breaks ABI looks unnecessary to me even when including
> the commit that introduces it, which might anyway not be desirable since
> it might break existing setups.

Which specific commit are you referring to now?

> Testing everything really carefully is surely the hardest part.

Yes.

From the 9.11 repo I have (so far) found the following commits to use:

https://gitlab.isc.org/isc-projects/bind9/-/commit/8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34
https://gitlab.isc.org/isc-projects/bind9/-/commit/75faeefcab47e4f1e12b358525190b4be90f97de
https://gitlab.isc.org/isc-projects/bind9/-/commit/db083a21726300916fa0b9fd8a433a796fedf636
https://gitlab.isc.org/isc-projects/bind9/-/commit/b38552cca7200a72658e482f8407f57516efc5db

I have not tried to apply them yet.

Cheers

// Ola

> > Sean Whitton
>
> cu
> Adrian
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                    [email protected]  |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
